Configure Dependendabot only to report semver releases for the github-actions ecosystem when using pinned hashs

[lgarron]

Select Topic Area

Question

Body

I maintain a project that contains the following configuration:

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

The project uses https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions in some of its GitHub Action workflows.

Unfortunately, Dependabot sends us a pull request every week due to mechanical pushes to main at: https://github.com/aws-actions/amazon-ecr-login

We just want to receive a PR to our project when there is a tagged release for the action, and despite many attempts I have not been able to figure out how to do this. Everything in https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates implies that we should be getting PRs only for version releases, not individual commits to the dependency. For example, there is an option to ignore "version-update:semver-patch" but not, say, "version-update:commit".

I suspect this is because we actually pin the hash of the latest releases. That is, we specify aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 rather than ws-actions/[email protected] as a good security practice for an extremely sensitive operation. But upgrading on every commit to that action would be a security liability, if anything.

Is there a way to tell Depenabot only to send us PRs for semver updates, without lowering the security of our configuration?